Remote Desktop Protocol (RDP) has been known since 2016 as a widely used way into computers and networks. Malicious cyber actors have developed methods of identifying and exploiting exposed RDP services over the Internet to steal identities and login credentials and to install and launch ransomware attacks.
DNV GL recommends that businesses review and understand what remote access is available on their networks and take steps to reduce the risk of compromise, which in some cases may mean disabling RDP altogether.
Why are RDP hacks hard to detect?
RDP is a network protocol that lets a person control a computer remotely over a network, including the Internet. The remote user sees whatever is on the screen of the controlled computer, and their keyboard and mouse act just like the ones physically attached to it. Before a remote desktop session is established, the connecting user must authenticate to the remote machine, normally with a username and password. If that authentication is weak (a guessable password, no account lockout, no second factor) or the RDP service is unpatched, an attacker who can reach the service over the Internet can log in or exploit it and then install malware or ransomware on the remote system. Unlike a phishing attack, an RDP attack needs no action from a user on the victim side, and the attacker's session looks much like a legitimate remote login, which makes these intrusions difficult to detect.
What are the threats of a Remote Desktop Protocol attack?
Once an attacker finds an accessible system, they will do one of two things, and sometimes both. First, they may exploit the system themselves. Second, they may sell the stolen RDP login credentials on the Dark Web, the portion of the Internet that is reachable only through anonymising networks such as Tor and where much of the criminal activity on the Internet is monetised. The value of the credentials depends on the location of the compromised system and on what that system has access to. The threats from someone accessing a computer on your network via RDP include data theft and financial theft. Malware and ransomware can be installed and activated, and the compromised machine can be used to send infected e-mails to your contacts, vendors or customers.
What can you do to mitigate the RDP risk and protect your organization?
RDP gives full remote control of a computer, so its use should be monitored, regulated and controlled. The risks of using RDP can be reduced substantially with the measures below:
- Make sure all security patches have been installed on your computers
- Restrict failed login attempts to three and then lock the account
- If RDP is not in use, block TCP port 3389 on the computers and on the firewall or router (RDP can be configured to listen on another port, so check the actual listener rather than only the default)
- Scan your network for computers with RDP enabled and disable the service where it is not needed
- Have a third-party (DNV GL) cyber security scan performed on your network
- Make sure any public cloud-based systems do not expose RDP to the Internet
- Make sure users choose strong passwords and that account lockout policies are enforced
- Use two-factor authentication
- Enable event logging (on Windows, Security log events 4624 and 4625 record successful and failed logons) and review the logs regularly, at least weekly
- Ensure any third-party vendors that require RDP access have cyber security procedures in place and are following them
- Do not leave RDP active on critical systems such as servers unless it is strictly required and tightly restricted
- Limit the number of third-party vendors and employees that have RDP access
- Use VPN connections whenever possible, so that RDP is never reachable directly from the Internet and its traffic is encrypted
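The following PowerShell script is an added example, not code from the DNV GL page, that applies several of the measures above to a single Windows host: it reports whether RDP is enabled, which port it listens on and whether Network Level Authentication (NLA) is required; either disables RDP or restricts it to a management subnet and enforces NLA; sets the three-attempt lockout policy; groups failed network and RDP logons (event 4625) by source address for weekly log review; and checks a small address range for other hosts listening on TCP 3389. The management subnet 10.10.0.0/24 and the scanned range 10.10.0.1-20 are assumptions for the example; replace them with your own VPN and network ranges. It must be run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the DNV GL page): audit and harden RDP on one Windows host.
# Assumed values for this example: the VPN/management subnet is 10.10.0.0/24 and the
# discovery scan covers 10.10.0.1-20. Adjust both before use.
param(
    [string]$ManagementSubnet = '10.10.0.0/24',   # assumed: only this range may reach RDP
    [switch]$DisableRdp,                         # pass when the host does not need RDP at all
    [int]$LookbackDays = 7                       # how far back to review the Security log
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# 1. Current state: is RDP enabled, which port does it use, and is NLA required?
$state = [pscustomobject]@{
    RdpEnabled  = ((Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0)
    Port        = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
    NlaRequired = ((Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1)
}
$state | Format-List

if ($DisableRdp) {
    # "If not using RDP, disable it": turn the listener off and close the firewall rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'RDP disabled and the Remote Desktop firewall rules turned off.'
}
else {
    # Require NLA so the client must authenticate before a session is created on the server.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    # Restrict the inbound Remote Desktop rules to the management/VPN subnet instead of "Any".
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnet -Enabled True
    Write-Host "RDP inbound restricted to $ManagementSubnet; NLA required."
}

# 2. Account lockout: three failed attempts, then a 30-minute lockout (window must not exceed duration).
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 3. Log review: failed logons (event 4625) grouped by source address.
#    Logon type 10 = RemoteInteractive (RDP); type 3 = network, which is how NLA failures are recorded.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$LookbackDays) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; LogonType = $d.LogonType; Source = $d.IpAddress }
    } |
    Where-Object { $_.LogonType -in '3','10' -and $_.Source -notin '-','127.0.0.1','::1' }

# Many failures from one source against many user names is the signature of a password spray.
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='Source';e={$_.Name}}, Count, @{n='Users';e={($_.Group.User | Sort-Object -Unique) -join ','}} |
    Format-Table -AutoSize

# 4. Discovery: which other hosts in the assumed range answer on TCP 3389?
$targets = 1..20 | ForEach-Object { "10.10.0.$_" }   # assumed address range for the example
$listening = foreach ($t in $targets) {
    if (Test-NetConnection -ComputerName $t -Port 3389 -InformationLevel Quiet -WarningAction SilentlyContinue) { $t }
}
Write-Host "Hosts answering on TCP 3389: $($listening -join ', ')"
```

Run it once without switches to see the current state and the failed-logon summary, and with `-DisableRdp` on machines that do not need remote desktop at all. The firewall restriction only helps if the host is not also reachable through a port-forward on the Internet router, so check that separately.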
How can DNV GL help prevent RDP attacks?
DNV GL offers a number of other cyber security services and can perform vulnerability assessments or penetration tests on your network and devices. For every vulnerability we discover, a mitigation plan is developed and presented in a report. We are also available to help implement the proposed mitigation plan.